There are many skeptics who do not believe ISO 27001 can help protect their information and/or information systems; one of their main arguments is: “Writing a policy or a procedure surely won’t help against someone who wants to steal your information.”
And I agree with them – simply writing a document won’t help.
Why won’t just a piece of paper help?
For instance, a hacker who has created malicious software and managed to bypass your firewall and anti-virus software doesn’t care if you have a Network security policy or not.
What’s more, a disgruntled IT employee who wants to delete your data or wants to stop your servers won’t mind your Access control policy.
All the same, a competitor who wants to steal your most precious know-how won’t be very impressed with the Classification policy you invested a lot of time in writing.
So really, just having the documents won’t help you a lot. This is why it is important to distinguish between two types of companies: (a) those who use frameworks like ISO 27001 to produce nice documents (in a very short time) and get an even nicer certificate they can show off with; and (b) those who may or may not want the certificate, but who definitely want to improve security in their company.
You can surely guess what the security will look like in (a) type of company, so let’s not waste time on them; the rest of this article concerns the (b) companies.
Why bother with documentation?
We can take an international standard like ISO 27001 to make a case about the documentation: it is true that ISO 27001 (like most of the other ISO standards) requires writing policies, procedures and plans, to maintain records, etc. (See also: List of mandatory documents required by ISO 27001.)
But ISO 27001 does not ask you to write policies and procedures just to give the auditors something to do; this may come as a shock to you: writing documents really isn’t the main point of ISO 27001. (See also: 5 greatest myths about ISO 27001.)
The main point of documents is to help you change the behavior of your employees, to make the change in your processes. For example, you probably have very good firewalls in your company, but they may not be maintained and/or configured properly; you may have a very secure system for authentication for your email, but if your employees receive the email on their smart phones with no protection whatsoever then this authentication system is not very useful. And there are dozens of such examples even for very small companies.
So, let me draw the following conclusion: it is not the technology that is wrong in most of the companies; what’s wrong is how this technology is used. This is why we need policies and procedures: they explain to everyone how to use the technology in a more secure way, and when everyone starts behaving differently, the level of security in your company will rise. (See also: 4 reasons why ISO 27001 is useful for techies.)
Of course, if you want your documents to change something, you have to make them really usable – see this article for explanation: Seven steps for implementing policies and procedures.
Why does the implementation take so long?
Very often, our new clients ask me: “How long will it take us to implement ISO 27001?”, and for a small company of 50 employees I usually answer them something like “6 to 8 months.” “Why that long?” they ask me. And then I have to explain that you can write all the documentation for ISO 27001 in just two weeks – simply fill in all the mandatory documents and you’re done.
But what takes time is for employees in your company to accept all those changes – if you sent 20 new policies and procedures at once to them, they will look at you with the greatest contempt (of course, we all know how that approach will end). So, if you want them to really accept all those changes, you have to create documents together with them, send them one by one, and conduct awareness and training in parallel to the publishing of documents. And that takes time – thus 6 to 8 months. See also: ISO 27001 project – How to make it work.
So remember – policies and procedures are not an aim in itself. When you stop treating ISO 27001 as just a document-producing exercise, you will start getting a real benefit from this standard: your employees will start behaving more securely.
See this white paper that explains which documents are mandatory for ISO 27001, and how to structure them: Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision)